For those unfamiliar with Ham Radio, there are lots of fancy tools these days to make it easier for the radio operator. But enthusiasts still like to get back to basics, and one way to do this is to participate in Straight Key Night. This is when you pull out your traditional Morse code keyer [...]

[Davide Gironi] made a holiday tie tack this year. It’s not made to look like Santa Claus, Frosty, or a Christmas tree. He simply wishes you a Merry Christmas (‘Buon Natale’ in Italian) by flashing the message in Morse code. Two LEDs have been added to a plain tie tack. It is tethered to the [...]

To the casual observer this flower looks nice as its illuminated center fades in and out. But there’s hidden meaning to that light. Some of the blinks are longer than others; this flower is using Morse Code. [Renaud Schleck] wanted to try a few different things with his MSP430 microcontroller. He decided on an LED [...]

Zero Day Initiative Advisory 12-202 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable products utilizing the Oracle Outside In technology. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of WordPerfect files. When parsing font records the code within vswp5.dll does not validate the datasize value prior to performing arithmetic on it. The result is used to make a heap allocation that can be undersized which can be leveraged to corrupt memory leading to arbitrary code execution under the context of the user running the application.

Zero Day Initiative Advisory 12-197 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the java.beans.Expression class. Due to unsafe handling of reflection of privileged classes inside the Expression class it is possible for untrusted code to gain access to privileged methods and properties. This can result in remote code execution under the context of the current process.

Here’s an interesting tip that can help improve your ability to write assembly code. In an effort to remove the complexity of assembly code for an AVR project [Quinn Dunki] figured out how to use macros when writing AVR code with the GNU toolchain. Anyone using AVR-GCC should keep this in mind if they ever [...]

This Metasploit module exploits a vulnerability in Ektron CMS 8.02 (before SP5). The vulnerability exists due to the insecure usage of XslCompiledTransform with an XSLT controlled by the user. The module has been tested successfully on Ektron CMS 8.02 on Windows 2003 SP2, where it allows execution of arbitrary code with NETWORK SERVICE privileges.

This crew of high schoolers built a sorting robot for the Smart Young Mindz challenge. We got pretty excited when hearing that it sorts plastic by its recycling code, but unfortunately this isn’t quite what it’s made out to be. The device uses an RFID code on each product to figure out where it goes. Their [...]

Ubuntu Security Notice 1636-1 - Gary Kwong, Jesse Ruderman, Christian Holler, Bob Clary, Kyle Huey, Ed Morley, Chris Lord, Boris Zbarsky, Julian Seward, Bill McCloskey, and Andrew McCreight discovered several memory corruption flaws in Thunderbird. If a user were tricked into opening a malicious website and had JavaScript enabled, an attacker could exploit these to execute arbitrary JavaScript code within the context of another website or arbitrary code as the user invoking the program. Atte Kettunen discovered a buffer overflow while rendering GIF format images. An attacker could exploit this to possibly execute arbitrary code as the user invoking Thunderbird. Various other issues were also addressed.

This Metasploit module abuses a lack of authorization in the NetIQ Privileged User Manager service (unifid.exe) to execute arbitrary Perl code. The problem exists in the ldapagnt module. The module has been tested successfully on NetIQ PUM 2.3.1 on Windows 2003 SP2, where it allows execution of arbitrary code with SYSTEM privileges.

Zero Day Initiative Advisory 12-186 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of RTF files. The code responsible for lexing control words from the input file does not properly validate that all objects are properly defined. By removing terminating values within an RTF file an attacker can cause the program to re-use a freed object. Combined with basic memory layout control an attacker can abuse this situation to achieve code execution under the context of the user running the application.

Hack.me is a FREE, community based project powered by eLearnSecurity. The community allows you to build, host and share vulnerable web application code for educational and research purposes. It aims to be the largest collection of “runnable” vulnerable web applications, code samples and CMS’s online. The platform is available...

Authors: Cedric Bail, Nicolas Boulay. Tags: hardware hacking. Event: Chaos Communication Congress 18th (18C3) 2001. Abstract: The goal of the project is to design a free CPU core (free in the sense of "freedom", not free of charge). The CPU is written in VHDL, and all the source code and documentation will be available to whoever wants to build one under a GNU licence (or something very close to it). The contributors want to create a new standard with a good compromise between cost and performance. At present, the instruction set is defined and most integer execution units (computational blocks) are under design. The main problems are the lack of free synthesis tools (to translate VHDL code into a chip mask) and of an enforceable GPL-like licence (electronic circuits are subject to specific laws). We will present all the key issues in the design of a CPU and the global architecture of the F-CPU.

Authors: Cedric Bail, Nicolas Boulay, Yann Guidon. Tags: technology. Event: Chaos Communication Congress 19th (19C3) 2002. Abstract: F-CPU is not dead: it has been stable since 2000 and some source code exists. The VHDL tool chain problems are slowly being solved and new software is being written: the goal of designing a microprocessor only with Free Software is no longer utopian. Some French F-CPU contributors will present a few architectural aspects, some code examples and the available (incomplete) software suite.

This allows remote attackers to insert and execute arbitrary PHP code via "complex curly syntax" in the char_repl parameter, which is inserted into a regular expression that is processed by the preg_replace function with the eval switch.

Vulnerabilities exist in EMC NMM that could potentially be exploited by a malicious user to execute arbitrary code. Also, there is a risk that sensitive information could be disclosed under specific circumstances described in the details below.

We’ve already given an overview of the Stellaris Launchpad, but let’s look at the first steps to running code on the device. First we’ll get the development software working, then we’ll build and run a very simple example. TI allows use of the full version of their IDE, Code Composer Studio, with the Launchpad’s on-board [...]

This Metasploit module exploits a code execution vulnerability in the KeyScript ActiveX control from keyhelp.ocx. It is packaged in several GE products, such as Proficy Historian 4.5, 4.0, 3.5, and 3.1, Proficy HMI/SCADA 5.1 and 5.0, Proficy Pulse 1.0, Proficy Batch Execution 5.6, and SI7 I/O Driver between 7.20 and 7.42. When the control is installed with these products, the function "LaunchTriPane" will use ShellExecute to launch "hh.exe" with user-controlled data as parameters. Because of this, the "-decompile" option can be abused to write arbitrary files on the remote system. Code execution can be achieved by first uploading the payload to the remote machine, and then uploading a MOF file, which causes the Windows Management Instrumentation service to execute it. Please note that this module currently only works for Windows versions before Vista. In addition, the target host must have the WebClient service (WebDAV Mini-Redirector) enabled. It is enabled and automatically started by default on Windows XP SP3.

Red Hat Security Advisory 2012-1350-01 - Mozilla Firefox is an open source web browser. XULRunner provides the XUL Runtime environment for Mozilla Firefox. Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. Two flaws in Firefox could allow a malicious website to bypass intended restrictions, possibly leading to information disclosure, or Firefox executing arbitrary code. Note that the information disclosure issue could possibly be combined with other flaws to achieve arbitrary code execution.

Red Hat Security Advisory 2012-1351-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. Several flaws were found in the processing of malformed content. Malicious content could cause Thunderbird to crash or, potentially, execute arbitrary code with the privileges of the user running Thunderbird. Two flaws in Thunderbird could allow malicious content to bypass intended restrictions, possibly leading to information disclosure, or Thunderbird executing arbitrary code. Note that the information disclosure issue could possibly be combined with other flaws to achieve arbitrary code execution.

We’re not really interested in building a dummy load like this one for ourselves. But the concepts behind its design make for a nice little mental exercise as you read your way through the build description. [Pabr] wanted to build a dummy load which could be used to test a cheaply made gas generator. He [...]

Authors: Markus Schaber. Tags: software development. Event: Chaos Communication Congress 21st (21C3) 2004. Abstract: Like last year, examples of strange programming (art)work will be shown. In addition to the funny and sportive disciplines known from last year, some examples of painful production code will be presented. The first part of the presentation will, similar to last year's presentation, shed some light on the funny and sportive disciplines of the art of programming. Besides new examples in disciplines that were presented last year, like obfuscated programming and shortest code, core wars and demo coding are new on the agenda. In core wars, a bunch of programs run in parallel in the same memory (a typical von Neumann machine with multitasking, but without memory protection). The goal is to create a program that survives as long as possible while quickly erasing the other programs from memory. Demo coders try to exploit given, limited (and often legacy) hardware through crafty software, and thus create unexpected effects and surprising results. At so-called demo parties, those programs are presented, and sometimes valuable prizes are put up. The winners are e.g. 3D first-person shooters in 64k and video clips with sound in 4k. In the second part of the lecture, some creatively designed programming languages will be introduced. In particular, the two projects "Argh!" and "repsub" will be presented; both evolved in the orbit of the CCC. Argh! and its derivative Aargh! are somewhat similar to Befunge in that they are two-dimensional virtual machines. Argh! and Aargh! were both adjusted to fit the special needs of customary Unix text-mode terminals.
Repsub has the high ideal of being a democratic programming environment. All memory cells enjoy equal rights and can be processed in a highly parallel fashion. It is mathematically proven that this pattern-matching and replacement based programming language is Turing complete. Finally, the third part will introduce some extra painful examples of production code. A fertile source for those are commercially developed projects that were open-sourced afterwards. From time to time, those create the impression that the developers lost control of their own code; they now hope the community will help them find a way out of their maintenance nightmare. The CCC ErfA Group Ulm is planning to hold a shortest C coding contest at this Congress. We learned our lesson from last year's contest, so the rules will be much simplified.

Authors: Felix Domke, Michael Steil, Rob Reilink. Tags: games. Event: 21st Chaos Communication Congress (21C3), 2004. Abstract: The GameCube: what it is made of and how it can be hacked. We describe different approaches to getting your own code onto the GameCube and what you can do with a GameCube under your control. Of course it runs Linux. A GameCube has very interesting hardware (a G3-style PowerPC processor and fast 3D acceleration), but unfortunately it is "closed", because it is a game console and not a computer. That should not prevent anyone from running Linux on it, since the hardware is worth exploiting for something more useful and interesting than games. We will describe the GameCube's hardware in detail (including the parts you will not read about elsewhere) and show ways to get your own code onto the cube. We will explain different software hacks (PSO, Action Replay Loader) and exploits, as well as a hardware modification (exchanging the IPL). We show how code can be developed for the GameCube and finally present Linux running on it.

Authors: Daniel Bartlett. Tags: Google. Event: 21st Chaos Communication Congress (21C3), 2004. Abstract: A look at methods of locating vulnerable sites via Google and exploiting them with no user interaction, and at how to prevent your own code from being vulnerable. People learn a little about scripting for the web and hardly ever about security, which leaves many issues on many sites. The simplest things get overlooked and can often lead to full system compromise. Technically the talk focuses on PHP, since it is extremely commonplace and people pick it up reasonably quickly and easily. It looks at the largest and smallest errors in code, explaining how to exploit them, how to rectify them and how to inform. Many people overlook the last point: disclose what you find and tell the owner of the site. We will also discuss the scripts and programs developed to automate the whole process, down to logging all the information in a small web application.

Reaver Pro Livedisc has a named pipe, /tmp/exe, that is world-writable; any input written to it is passed to the shell interpreter and executed as root. This is a good demonstration of why using named pipes to execute commands in applications is a bad idea. The exploit spawns a bind shell on localhost:4444 and then connects to it.
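
The lesson is architectural rather than specific to Reaver Pro, so the useful thing to show is the check and the fix. The Python below is an added example, not code from the livedisc: fifo_is_world_writable is the permission check an audit script would run over a named pipe, and parse_request/run_request show the pattern that should replace "pass the line to the shell", namely mapping pipe input onto a fixed allowlist of argv vectors and executing without a shell. The pipe names and the ALLOWED_COMMANDS table are hypothetical.

```python
import os
import shlex
import stat
import subprocess
import tempfile

# Hypothetical allowlist: the only operations a client may request through the
# pipe, each bound to a fixed argv vector. No shell is involved at any point.
ALLOWED_COMMANDS = {
    "status": ["/bin/true"],
    "uptime": ["/usr/bin/uptime"],
}


def fifo_is_world_writable(path):
    """Return True if path is a named pipe that any local user may write to.

    A world-writable FIFO whose reader runs the input as root is the condition
    described for /tmp/exe above; this is the audit check for it.
    """
    st = os.lstat(path)
    if not stat.S_ISFIFO(st.st_mode):
        raise ValueError(f"{path} is not a named pipe")
    return bool(st.st_mode & stat.S_IWOTH)


def parse_request(line):
    """Map one line read from the pipe to an argv vector from the allowlist.

    Anything else raises ValueError. The raw text is never handed to a shell,
    so metacharacters in it carry no meaning.
    """
    tokens = shlex.split(line)
    if len(tokens) != 1 or tokens[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"rejected request: {line!r}")
    return list(ALLOWED_COMMANDS[tokens[0]])


def run_request(line):
    """Execute one allowlisted request without a shell; return its exit code."""
    return subprocess.run(parse_request(line), check=False).returncode


def demo():
    """Create a FIFO with the livedisc's mode beside a corrected one and
    return (weak_is_world_writable, fixed_is_world_writable)."""
    d = tempfile.mkdtemp()
    weak, fixed = os.path.join(d, "exe"), os.path.join(d, "exe-fixed")
    os.mkfifo(weak)
    os.mkfifo(fixed)
    os.chmod(weak, 0o666)   # world-writable, as /tmp/exe was
    os.chmod(fixed, 0o600)  # owner only
    try:
        return fifo_is_world_writable(weak), fifo_is_world_writable(fixed)
    finally:
        os.unlink(weak)
        os.unlink(fixed)
        os.rmdir(d)


if __name__ == "__main__":
    print("world-writable (weak, fixed):", demo())
    print("exit code of 'status':", run_request("status"))
    for bad in ("status; id", "$(id)", "reboot"):
        try:
            parse_request(bad)
        except ValueError as err:
            print(err)
```

demo() creates a pipe with the livedisc's 0666 mode beside a 0600 one and returns (True, False). A one-line sweep for the same condition on a running system is `find / -xdev -type p -perm -o+w 2>/dev/null`; note that even a correctly permissioned pipe remains a root-executing command channel, so the allowlist matters as much as the mode bits.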

Authors: Meike Richter. Tags: technology. Event: 22nd Chaos Communication Congress (22C3), 2005. Abstract: What has software to do with development policy? A lot. Software is not only about code; it is about rights, control, transparency, freedom and power. Poorly educated people with few financial resources, mostly in the Southern hemisphere, have little chance of access to information and communication technologies (ICTs) and to the Internet. Since the mid-1990s the so-called digital divide has been on the political agenda, and providing access to ICTs is hoped to promote economic, political and social development as well. This lecture explains the digital divide and its implications and gives an overview of the positions within the discourse. There are three modes of argumentation: optimists claim the new ICTs could strengthen the voice of poor and developing nations and of marginalised groups; sceptics believe that new technology alone will make little difference; and pessimists emphasise that digital technologies will further exacerbate the existing North-South divide. So far the choice of software model has hardly played a role in digital development policy; proprietary architectures are the rule. Only recently has the nature of the code become an issue, e.g. Brazil is going pro-Linux. Free/Open Source Software has many advantages for poor and developing nations: it offers access to the knowledge and information-engineering skills of the most developed countries, it promotes technological independence, and it is free of charge. So why is GNU/Linux not being used all over the place, and why is Brazil's approach to free code something completely new? This lecture explains why software is becoming an increasingly important political issue.

College students have returned in droves to dorms and apartments at campuses everywhere. So this is the time of year we usually start seeing some coded entry hacks. [Charmonkey] recently took on the challenge at his new apartment. There were some caveats though. He needed to ensure the Landlord could still enter using a key, [...]

We’ve been living a life of luxury, writing our microcontroller code in a text editor and using — of all things — a compiler to turn it into something the chip can use. [Dan Amlund Thomsen] shows us a different way of doing things. He’s actually crafting the operation codes for a PIC microcontroller by [...]

[Jeremy Blum] wrote in to share his LibeTech QR Code Door Lock project. He developed it during his Senior year at Cornell University along with three of his classmates. It seeks to move away from magnetic card locks in favor of optical locks that authenticate based on a QR code. The hardware he’s using here [...]

This Metasploit module abuses the FlashTunnelService SOAP web service on Oracle Business Transaction Management 12.1.0.7 to upload arbitrary files, without authentication, using the WriteToFile method. The same method contains a directory traversal vulnerability, which allows the files to be written to arbitrary locations. Two techniques are provided to obtain remote code execution. If the Oracle application has been deployed in the WebLogic Samples Domain, a JSP can be uploaded to the web root. If a new domain was used to deploy the Oracle application, the Windows Management Instrumentation service can be used to execute arbitrary code. Both techniques have been tested successfully on default installs of Oracle BTM 12.1.0.7, WebLogic 12.1.1 and Windows 2003 SP2. Default path traversal depths are provided, but the user can configure the traversal depth with the DEPTH option.
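
The traversal half of this module is the generic "join the caller's filename under a fixed directory without checking where it lands" defect. The Python below is an added example, not the module's or Oracle's code: vulnerable_target reproduces the weak join, safe_target is the containment check that an upload handler like WriteToFile needs, and traversal_name builds the shape of filename a tunable DEPTH option produces. The upload root and the filenames are hypothetical.

```python
import posixpath

UPLOAD_ROOT = "/opt/app/uploads"  # hypothetical directory the servlet writes into


def traversal_name(depth, relative):
    """Build a filename that climbs `depth` directories before `relative`.

    This is the shape of input a tunable DEPTH option produces: the attacker
    does not know the absolute layout, so the number of "../" hops is a knob.
    """
    return "../" * depth + relative


def vulnerable_target(root, filename):
    """The weak pattern: join the caller-supplied name under root and
    normalise it, with no check that the result is still inside root."""
    return posixpath.normpath(posixpath.join(root, filename))


def escapes_root(root, filename):
    """True if the vulnerable join would write outside root."""
    root = posixpath.normpath(root)
    return posixpath.commonpath([root, vulnerable_target(root, filename)]) != root


def safe_target(root, filename):
    """Hardened version: reject NUL bytes and absolute names, treat backslashes
    as separators (the tested target was Windows), and require the resolved
    path to stay inside root. Raises ValueError otherwise."""
    name = filename.replace("\\", "/")
    if "\x00" in name or posixpath.isabs(name):
        raise ValueError(f"rejected filename: {filename!r}")
    root = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root, name))
    # commonpath, not startswith: "/opt/app/uploads-evil" must not pass.
    if posixpath.commonpath([root, target]) != root:
        raise ValueError(f"path escapes upload root: {filename!r}")
    return target


if __name__ == "__main__":
    payload = traversal_name(3, "web/cmd.jsp")
    print(payload, "->", vulnerable_target(UPLOAD_ROOT, payload))
    for name in ("report.txt", payload, "..\\..\\web\\cmd.jsp", "../uploads-evil/x"):
        try:
            print(name, "accepted as", safe_target(UPLOAD_ROOT, name))
        except ValueError as err:
            print(err)
```

Two details matter on a Windows host such as the tested Windows 2003 target: backslashes are directory separators there, so the check normalises them before resolving, and containment is tested with commonpath rather than a string-prefix test, which would accept a sibling directory whose name merely starts with the root.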

The vulnerability described in this document can be exploited by a malicious Web page to execute arbitrary code with low integrity. Active scripting must be enabled, and the present exploitation techniques require that font downloading be set to "Enable" or "Prompt" and that the "mailto:" protocol be present. (These requirements are satisfied by default on Windows XP, Windows Vista, and Windows 7.) The user is presented with a message box which must be dismissed before code execution can occur.

Authors: Andreas Bogk, Hannes Mehnert. Tags: secure development. Event: 22nd Chaos Communication Congress (22C3), 2005. Abstract: An overview of the highly dynamic, object-oriented, functional programming language Dylan will be given, and a web-based network management tool will be demonstrated as an example. Dylan is a fully buzzword-compliant language (object-oriented, dynamic, functional) developed by Apple, CMU and Harlequin in the early 90s. While the Apple project was cancelled in early beta testing because of financial trouble at Apple, both CMU and Harlequin finished their compilers. CMU released a Dylan-to-C batch compiler as open source. Harlequin produced a full-blown development environment, including an IDE with code browsers, a debugger, a profiler and a native compiler for x86, which was sold commercially. After Harlequin's bankruptcy the programmers bought the rights to their code and, after an unsuccessful attempt to sell it, recently decided to release it as open source too. Dylan is unique in combining the ease of use and rapid prototyping features of very high-level languages with high-performance code execution, allowing the deployment of real-life production systems. Additionally, it is among the languages that prevent many of the common exploitable bugs that plague programs written in C, such as buffer overflows, integer overflows, format string exploits and double frees. Dylan is semantically closely related to Scheme, but comes with an Algol-like syntax that should be more convenient to the programmer than the S-expression syntax of the Lisp family. It features a well-integrated class system with dynamic types and multiple inheritance, polymorphism via generic functions, first-class functions and the matching higher-order functions, automatic memory management and a macro system that allows the grammar of the language to be extended.
This talk presents the Dylan language and its implementations. It also demonstrates a sample application for configuring switches, routers, DHCP and DNS servers for a network environment such as that of the Chaos Communication Congress over a web interface, focusing on how the Dylan language features allow construction of a powerful framework for such purposes.

This Metasploit module exploits a code execution flaw in HP SiteScope by chaining two vulnerabilities. It uses an authentication bypass in the getSiteScopeConfiguration operation, exposed through the APISiteScopeImpl AXIS service, to retrieve the administrator credentials, and then abuses the UploadManagerServlet to upload an arbitrary payload embedded in a JSP. The module has been tested successfully on HP SiteScope 11.20 on Windows 2003 SP2.

Authors: Martin Johns. Tags: buffer overflow. Event: 22nd Chaos Communication Congress (22C3), 2005. Abstract: A talk presenting academic tools designed to find or disarm security problems in C code. The last years have proven that humans are notorious producers of insecure code, and they also seem to have trouble finding security bugs on their own. For this reason scientists spend a reasonable amount of time developing ideas for automating the process of finding those bugs (using static analysis) or fixing them automatically (with dynamic measures that take effect at run time). The talk gives an introduction to both approaches. The presented tools are aimed at problems specific to the C language: buffer overflows, format string exploits and their friends. Static tools examine the source code before compilation; depending on the tool, methods such as functional verification, finite automata or lattice theory are used to find security bugs. The talk will try to show how these tools work and what their shortcomings are (e.g. too many false positives, no weighting, hard to configure). Dynamic tools alter the source code before or during compilation, adding constructs to the control flow that are supposed to prevent the exploitation of security flaws. Classic examples (StackGuard) and modern approaches (StoBo) are presented and discussed. Only tools and methods that the programmer can apply are addressed; methods of preventing exploitation by altering the underlying infrastructure (i.e. the OS) are omitted. The focus is on measures the actual programmer can employ. We think it is important that the use of this kind of tool (especially static analysis) grows in the open source community. Commercial companies employ static analysis on a broad basis nowadays (for example, Microsoft requires its coders to use the tools PREfast and PREfix daily). Otherwise the security advantage that open source claims to possess may diminish.
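
To make the static-analysis half concrete, here is a toy checker in the spirit of the simpler lexical tools; it is an added example, not one of the academic tools the talk covers, and the C source it scans is constructed for the demonstration. It flags the classic unbounded C sinks, treats printf-family calls whose format argument is not a string literal as format string bugs, and attaches a confidence so that a strcpy from a string literal is reported as low rather than suppressed, which is the "no weighting / too many false positives" shortcoming the abstract mentions in miniature.

```python
import re

# Constructed sample C source for the demonstration; not from any real project.
SAMPLE_C = r'''
#include <stdio.h>
#include <string.h>

void greet(const char *name) {
    char buf[64];
    strcpy(buf, name);          /* unbounded copy of caller data */
    printf(name);               /* caller data used as format string */
    printf("%s\n", buf);        /* literal format: fine */
}

void banner(void) {
    char tag[8];
    strcpy(tag, "v1");          /* constant source that fits: benign */
    gets(tag);                  /* never safe */
}
'''

# Sinks that read or write without a length bound.
UNBOUNDED = {
    "gets": "unbounded read into fixed buffer",
    "strcpy": "unbounded copy",
    "strcat": "unbounded append",
    "sprintf": "unbounded formatted write",
}
# Position of the format-string argument in common printf-family functions.
FORMAT_ARG = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
STRING_LITERAL = re.compile(r'^"(?:[^"\\]|\\.)*"$')
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")


def split_args(arg_text):
    """Split a C argument list on top-level commas, honouring nested
    parentheses and string literals."""
    args, cur, depth, in_str, i = [], [], 0, False, 0
    while i < len(arg_text):
        ch = arg_text[i]
        if in_str:
            cur.append(ch)
            if ch == "\\" and i + 1 < len(arg_text):
                cur.append(arg_text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch in "()":
            depth += 1 if ch == "(" else -1
            cur.append(ch)
        elif ch == "," and depth == 0:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        args.append(tail)
    return args


def extract_calls(line):
    """Yield (function name, argument list) for each call on one line.
    Toy limitation: a call spanning several lines is skipped."""
    for m in CALL.finditer(line):
        depth, j = 0, m.end() - 1
        while j < len(line):
            if line[j] == "(":
                depth += 1
            elif line[j] == ")":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        if depth == 0:
            yield m.group(1), split_args(line[m.end():j])


def analyse(source):
    """Return (line number, function, message, confidence) findings."""
    findings = []
    for no, raw in enumerate(source.splitlines(), start=1):
        line = re.sub(r"/\*.*?\*/", "", raw)  # drop single-line block comments
        for func, args in extract_calls(line):
            if func in UNBOUNDED:
                literal_src = (func in ("strcpy", "strcat") and len(args) == 2
                               and STRING_LITERAL.match(args[1]) is not None)
                findings.append((no, func, UNBOUNDED[func],
                                 "low" if literal_src else "high"))
            if func in FORMAT_ARG:
                idx = FORMAT_ARG[func]
                if len(args) > idx and not STRING_LITERAL.match(args[idx]):
                    findings.append((no, func, "non-literal format string", "high"))
    return findings


if __name__ == "__main__":
    for no, func, msg, conf in analyse(SAMPLE_C):
        print(f"line {no:3d}: {func}(): {msg} [{conf}]")
```

Real tools track data flow so that strcpy(buf, name) is reported only when name can be longer than buf; this checker has no such notion and stops at the call site, which is exactly why its output needs the confidence column and why the talk's complaint about weighting applies to the naive approach.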

This Metasploit module exploits a vulnerability in Java 7, which allows an attacker to run arbitrary Java code outside the sandbox. The vulnerability seems to be related to the use of the newly introduced ClassFinder#resolveClass in Java 7, which allows the sun.awt.SunToolkit class to be loaded and modified. Please note this flaw is also being exploited in the wild, and there is no patch from Oracle at this point. Our module has been successfully tested on multiple setups, including: IE, Firefox, Chrome and Safari on Windows, Linux and OS X, etc.

Zero Day Initiative Advisory 12-157 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office Excel. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of Series records. The code within Excel.exe makes an assumption about the data types within a Series record and can be made to write beyond the bounds of a heap buffer when a specific combination of fields are set to unexpected values. This corruption can be leveraged to achieve code execution under the context of the user running the application.

Zero Day Initiative Advisory 12-150 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable products utilizing the Oracle Outside In Technology. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XPM files. When parsing the chars_per_pixel element the code within vsgdsf.dll does not validate that the data can fit within a stack buffer prior to copying it. This can be leveraged by a remote attacker to execute code under the context of the user running the application.

Zero Day Initiative Advisory 12-141 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the .NET Framework. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The flaw exists within Microsoft .NET XAML Browser Application (XBAP) handling of Clipboard object data. It is possible to cause unsafe memory access within System.Windows.Forms.Clipboard, allowing an attacker to control the memory used by an object's native code. This unsafe access allows for control of a function pointer, which can be exploited to remotely execute code. In the case of Internet Explorer, execution of attacker code occurs outside of the Protected Mode sandbox.

The vulnerability described in this document can be exploited by a malicious Web page to execute arbitrary code with low integrity. Active scripting must be enabled, and the present exploitation techniques require that font downloading be set to "Enable" or "Prompt" and that the "mailto:" protocol be present. (These requirements are satisfied by default on Windows XP, Windows Vista, and Windows 7.) The user is presented with a message box which must be dismissed before code execution can occur.

The Timed Interactive Multimedia Extensions (aka HTML+TIME) implementation in Microsoft Internet Explorer 6 through 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that was not properly initialized or is deleted, aka "Time Element Memory Corruption Vulnerability." This is an exploit for the vulnerability noted in MS11-050.

Did you know it’s possible to write Javascript code without using any letters or numbers at all? Well, it’s not just Javascript, but that’s the language used in this demonstration. [Patricio Palladino] shows how code can be written using just eight characters, and all of them are punctuation marks. Typecasting is the name of the [...]

Authors: Felix von Leitner
Tags: C / C++
Event: Chaos Communication Camp 2007
Abstract: The selling points for C++ are mostly focused on how it supposedly makes it easier to write code. This talk will argue that it is much more important to make code easy to read, and in that respect C++ is a huge regression compared to C. The talk is mostly from the perspective of a professional code auditor. The point of the talk is to get people to think about how others (and themselves!) will have to read and understand the code in the future. This point is also true for other programming languages, so this is not just about C++ bashing; it is about showing which coding style is good for future generations and which will just get you in trouble. The examples will mostly be C++, obviously, but people from other programming languages might learn a thing or two from the talk, too.

Zero Day Initiative Advisory 12-133 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of GE iFix. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ihDataArchiver.exe process which listens by default on TCP port 14000. Several errors are present in the code responsible for parsing data from the network. By providing malformed data for opcodes 6, 7, 8, 10, and 12 the process can be made to corrupt memory which can lead to arbitrary code execution in the context of the user running the service.

A patch introduced a signedness bug causing any program compiled against the vulnerable version of eglibc and using optimized functions such as memcpy_ssse3 and memcpy-ssse3-back to be potentially vulnerable to unexpected code execution.

Cisco Security Advisory - Exploitation of the Cisco TelePresence Malformed IP Packets Denial of Service Vulnerability may allow a remote, unauthenticated attacker to create a denial of service condition, preventing the product from responding to new connection requests and potentially causing some services and processes to crash. Exploitation of the Cisco TelePresence Web Interface Command Injection may allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system with elevated privileges. Exploitation of the Cisco TelePresence Cisco Discovery Protocol Remote Code Execution Vulnerability may allow an unauthenticated, adjacent attacker to execute arbitrary code with elevated privileges. Cisco has released updated software that resolves the command and code execution vulnerabilities. There are currently no plans to resolve the malformed IP packets denial of service vulnerability, as this product is no longer being actively supported. There are no workarounds that mitigate these vulnerabilities. Customers should contact their Cisco Sales Representative to determine the Business Unit responsible for their Cisco TelePresence Recording Server.

Ubuntu Security Notice 1495-1 - Integer overflows were discovered in the graphics loading code of several different image types. If a user were tricked into opening a specially crafted file, an attacker could cause LibreOffice to crash or possibly execute arbitrary code with the privileges of the user invoking the program. Sven Jacobi discovered an integer overflow when processing Escher graphics records. If a user were tricked into opening a specially crafted PowerPoint file, an attacker could cause LibreOffice to crash or possibly execute arbitrary code with the privileges of the user invoking the program. Various other issues were also addressed.

Python-wrapper executes any test.py script found in the current working directory when it is supplied with help('modules'). A non-privileged user may therefore gain code execution by tricking root into running help('modules'), or help() followed by modules, from within python-wrapper while the current working directory is that non-privileged user's work directory.

A vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle AutoVue. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the AutoVueX.ocx ActiveX object. There exists a method SetMarkupMode() that takes an unbounded string as an argument and copies it to a fixed-length buffer on the stack. This can lead to memory corruption which can be leveraged to execute code under the context of the process.